Setup the VPN on Chrome OS

To get the user and server certificates, from the pfSense UI go to System / Cert. Manager.

Under the CAs tab, find the certificate used for the OpenVPN server and click the certificate export icon to export the certificate authority.

Under the Certificates tab, find the User Certificate for the VPN user you want to set up. Click the box icon to export it as a P12 file.

These files need to be available on the Chrome device; you can add them to the user's Google Drive or use some other method as desired.

Install the certificates using the steps listed under “Install certificates” via the Google Support link above.
Essentially, in Chrome you need to go to chrome://settings/certificates and import the CA certificate under the Authorities tab and the user certificate under the Your Certificates tab. When it asks for a password to install the .p12 file, just leave it empty.

TAYGA tunnel IPv4: 192.168.64.1 (dynamic pool: 192.168.64.0/24)
An IPv4 tunnel subnet that lies outside the range of any subnet handled by pfSense. I used 192.168.64.0, but you can choose anything you'd like.

TAYGA tunnel IPv6: 2001:db8:1::2 (prefix: 64:ff9b::/96)
Similar to the prior tunnel subnet, except that the prefix we are using is the RFC 6052 well-known prefix, the same one used by the public Google DNS64 service.

Step 1 – Setup TAYGA

This should be done on a basic Debian Linux installation. It could be a physical machine or a virtual machine; in my case I used a VM.

Assign it a static IPv4 and IPv6 address by modifying /etc/network/interfaces.

The final firewall setting you may want to change in pfSense is under System / Advanced / Firewall & NAT.
The following option is needed because otherwise some traffic is filtered by the pfSense firewall, and things like Zoom.us video calls and WebSocket connections drop and come back up constantly.

Static route filtering: Bypass firewall rules for traffic on the same interface (check this box)

Now we'll need to add the static routes so that the RFC 6052 prefix and the IPv4 pool are routed back to the Debian machine running TAYGA.

Once again in pfSense, go to System / Routing.
Let's create two new gateways. Both should be on the "LAN" interface:
one with the IP 10.1.1.3 and the other with the IP 2001:4:1f:98::2.

Next let’s create 3 static routes.

Route #1 – IPv4 pool

Destination network: 192.168.64.0 / 24
Gateway: 10.1.1.3

Route #2 – IPv6 prefix

Destination network: 64:ff9b:: / 96
Gateway: 2001:4:1f:98::2

Route #3 – IPv6 Tunnel Address

Destination network: 2001:db8:1::2
Gateway: 2001:4:1f:98::2
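As an added example that is not part of the original post, the following standard-library Python script ties the TAYGA values and the three static routes together: it parses a tayga.conf constructed from the values above, derives the pfSense routes from it, and shows how an IPv4 destination is embedded in the 64:ff9b::/96 prefix and which gateway pfSense hands the packet to. The tayga.conf contents and the test addresses are constructed for the example.

```python
import ipaddress

# Constructed tayga.conf built from the values in the post; not the author's file.
TAYGA_CONF = """\
tun-device nat64
ipv4-addr 192.168.64.1        # TAYGA tunnel IPv4
ipv6-addr 2001:db8:1::2       # TAYGA tunnel IPv6
prefix 64:ff9b::/96           # RFC 6052 well-known NAT64 prefix
dynamic-pool 192.168.64.0/24  # IPv4 pool handed to IPv6-only clients
data-dir /var/spool/tayga
"""
# pfSense gateways from the post: the Debian/TAYGA box's LAN addresses.
GW4 = "10.1.1.3"
GW6 = "2001:4:1f:98::2"

def parse_tayga_conf(text):
    """Return {directive: value}, ignoring '#' comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def static_routes(conf):
    """The three pfSense static routes from the post, derived from tayga.conf."""
    return [
        (ipaddress.ip_network(conf["dynamic-pool"]), GW4),        # Route #1
        (ipaddress.ip_network(conf["prefix"]), GW6),              # Route #2
        (ipaddress.ip_network(conf["ipv6-addr"] + "/128"), GW6),  # Route #3
    ]

def next_hop(dst, routes):
    """Longest-prefix match; None means pfSense falls back to its default route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    return best[1] if best else None

def nat64_address(ipv4, prefix):
    """Embed an IPv4 address in an RFC 6052 /96 prefix (what DNS64 returns)."""
    base = int(ipaddress.IPv6Network(prefix).network_address)
    return str(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(ipv4))))

def embedded_ipv4(ipv6):
    """Recover the IPv4 address TAYGA translates a /96-mapped packet to."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF))
```

Anything outside the three routes (a plain IPv4 destination, or a v6 address that is not the tunnel address or inside the prefix) returns None, meaning pfSense forwards it via its normal default route rather than through TAYGA.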

Ready to test

There are services, such as Google's Chromecast, that do not yet work with NAT64. But Apple is making a big push towards all apps being compatible, so it's only a matter of time before we can run our local networks v4-free!

There is a wonderful new capability in pfSense to use Let's Encrypt to automatically and securely generate publicly trusted TLS certificates.

This is a great thing because security is important, and using self-signed certs is annoying at best. You still completely control your private key when using ACME with a service such as Let's Encrypt, so there is no security downside to using it.

How-to use Let’s Encrypt on pfSense

Under System / Package Manager / Available Packages you should find a package called acme. Click the install button and allow it to complete.

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account key. Enter a name and select the production server if you want this to be live.
Click "Create new account key" to generate a key and insert it into the Account key box.
Finally, click the Register button and Save.

The next step is to create your certificate. Under Certificates click the Add button.
Enter the details such as the name.

In the table you will see I selected "standalone HTTP server" and, in the options, set the listen port to 8082. This matters because the ACME server needs to be able to reach this standalone HTTP server on port 80; we will accomplish this with a port forward rule in the next step.

Under Firewall / NAT / Port Forward create a new rule that forwards port 80 HTTP to your pfSense IP address which is 192.168.1.1 by default.
This allows the ACME server to communicate with your device to verify ownership.

Of course you can use other methods; I just found this to be the simplest option, assuming that you have something already running on port 80 like I do.

Now let’s go back to Acme Certificates, and click the Issue/Renew button. If the domain name you used has correctly configured DNS, you should have a freshly minted certificate available for use under System / Cert. Manager.

To use this new certificate for the pfSense webConfigurator like I do, go to System / Advanced / Admin Access and select your new certificate under the SSL Certificate drop-down menu.

My wife Melodie had the idea of a family-based business that we'd be able to run together, and since we all enjoy disc sports and e-commerce is relatively easy to get into, we said, hey, let's try setting up an online disc store and run the inventory from our garage!
So starting today you can find our new family business at mydisc.ca.

We carry the awesome rubber-based discs from Vibram Disc Golf and the Canadian-made discs from Daredevil Discs here in Ontario, as well as official Ultimate discs and the really nice flex golf discs that are great for playing in the cold.

Check it out, and if you’d like to try out some new discs we’d love to have your business!